Applies: apache 1.3.x / apache 2.0.x Required apache module: - Scope: global server configuration Type: security
Description: How to disable the HTTP TRACE method on recent apache versions.
Most vulnerability scanners (like the popular nessus, but commercial ones also) will complain (normally as a low thread or warning level) about TRACE method being enabled on the web server tested.
Normally you will have this enabled by default, but if you want to test if it is really enabled on your server you just have to telnet on the port your web server is running and request for ”TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system. The output of a server with TRACE enabled will look like:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
Traditionally experts will suggest to disable this using some rewrite rules like:
1 2 3
(this needs to be added somewhere in your main apache config file outside of any vhost or directory config).
Still this has the disadvantage that you need to have mod_rewrite enabled on the server just to mention one. But for apache versions newer than 1.3.34 for the legacy branch, and 2.0.55 (or newer) for apache2 this can be done very easily because there is a new apache variable that controls if TRACE method is enabled or not:
This needs to be added in the main server config and the default is enabled (on). TraceEnable off causes apache to return a 403 FORBIDDEN error to the client.
After setting this and reloading the apache config the same server as above shows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26